As an increasing amount of information is stored electronically, and as the number of transactions performed electronically grows, there is an ever-increasing need to protect sensitive information in an electronic environment. This includes not only securing the storage and transmission of information, but also securing access to it. A common approach is to encrypt information using an encryption algorithm, or cipher, that encodes the information such that it can only be decrypted or otherwise interpreted using the same cryptographic key. Managing these cryptographic keys has been a challenge for many organizations for years. To improve security and minimize the risk that information will be accessed by an unauthorized user who obtains one of these keys, a unique key can be used for each instance of information. For example, a first unique key might be used to transmit a piece of information, a second unique key might be used to store the information, and a third unique key might be needed to obtain access to the information. Alternatively, a separate key can be used for each piece of data that is stored or transmitted. Such an approach generally does not scale well and presents further challenges in managing the keys. Further, there can be several such pieces of information in any given system, such as credit card information, user data, database passwords, access keys, etc.
A potential problem presents itself in that these keys and other such security items must themselves be stored and maintained in a secure fashion. Essentially, the keys take on the same classification as the sensitive information they protect. Some previous approaches hardcoded passwords into application binaries that needed to securely access a resource such as a database, but this is a weak and ineffective obfuscation technique: the password is viewable not only by the programmer who entered it into the application, but also by any user able to access the source code. Such approaches also typically require manual entry of each password on each device, as well as manual rotation of the passwords on each device. Various insecurities arise as the number of people having access to secure objects, including keys or passwords, increases. Further, if material is to be re-encrypted at various times using different secure objects, the re-encryption also has to be done manually, which generally increases the number of people having access to the secure objects. Certain programming languages such as Java provide functionality that allows a user to store sensitive information in a relatively secure fashion. Unfortunately, such approaches tend to be tightly coupled to the programming language or technology, cannot easily be used with outside technology, and are still largely ineffective.
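The hardcoding pattern described above, placed beside a hardened alternative and a simple source check, is shown in the Go code below. This is an added example written for this page, not code from the original document; the names (ConnectInsecure, SecretSource, EnvSource, MapSource, ConnectSecure, FindHardcodedCredentials), the connection string, the DB_PASSWORD variable name and the placeholder password value are all constructed for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// The pattern the text warns against: the credential is a compile-time
// constant, so it ships inside every copy of the binary and in source
// control. (Constructed placeholder value, not a real credential.)
const hardcodedDBPassword = "EXAMPLE-hardcoded-password"

// ConnectInsecure builds a connection string from the embedded password.
func ConnectInsecure() string {
	return "postgres://app:" + hardcodedDBPassword + "@db.example.internal/app"
}

// SecretSource is the seam that decouples the application from where a
// secret actually lives (environment injected at deploy time, a secrets
// manager, an OS keychain, ...). Hypothetical interface, not a library API.
type SecretSource interface {
	Lookup(name string) (string, bool)
}

// EnvSource reads secrets injected into the process environment.
type EnvSource struct{}

func (EnvSource) Lookup(name string) (string, bool) { return os.LookupEnv(name) }

// MapSource is an in-memory stand-in for a secrets manager, used in tests.
type MapSource map[string]string

func (m MapSource) Lookup(name string) (string, bool) { v, ok := m[name]; return v, ok }

// ConnectSecure obtains the password at run time, so it never appears in
// source or in the binary, and fails closed if it was not provisioned.
func ConnectSecure(src SecretSource) (string, error) {
	pw, ok := src.Lookup("DB_PASSWORD")
	if !ok || pw == "" {
		return "", errors.New("DB_PASSWORD not provisioned")
	}
	return "postgres://app:" + pw + "@db.example.internal/app", nil
}

// credentialLiteral matches a string literal assigned to a credential-looking
// name: a crude pre-commit / CI check for the hardcoding pattern above.
var credentialLiteral = regexp.MustCompile(
	`(?i)(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]+\s*"[^"]{4,}"`)

// FindHardcodedCredentials returns the 1-based line numbers in src that look
// like hardcoded credentials.
func FindHardcodedCredentials(src string) []int {
	var hits []int
	for i, line := range strings.Split(src, "\n") {
		if credentialLiteral.MatchString(line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

func main() {
	// Constructed source snippet: lines 1 and 3 hardcode a secret, line 2 looks one up.
	sample := "const hardcodedDBPassword = \"EXAMPLE-hardcoded-password\"\n" +
		"pw, ok := src.Lookup(\"DB_PASSWORD\")\n" +
		"apiKey := \"sk-constructed-0000\""
	fmt.Println("suspicious lines:", FindHardcodedCredentials(sample))
	if dsn, err := ConnectSecure(EnvSource{}); err != nil {
		fmt.Println("secure path:", err) // expected when DB_PASSWORD is not set
	} else {
		fmt.Println("secure path: DSN built, length", len(dsn))
	}
}
```

The regular-expression check is deliberately simple and will produce false positives (any quoted string assigned to a name containing "token", for instance); its value is in running automatically on every commit so that the embedded-constant pattern is caught before it reaches a binary. Note that moving the secret to an injected environment variable removes it from source and from the binary but does not by itself solve the per-device entry and rotation burden the text describes; a central secret source behind the same SecretSource seam does.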
Another problem with managing sensitive information is that writing code that implements cryptography correctly is very difficult. There are many different cryptographic approaches and algorithms, and it is difficult to know when each approach is advantageous. While certain third-party toolkits are available that assist with such coding and encryption, these toolkits are still relatively complex, and obtaining all the desired functionality requires managing several toolkits. Further, not all toolkits have been subjected to lengthy cryptanalysis, so a toolkit may prove to be a poor implementation only after an expensive investment has been made in using it.
Even once an encryption solution is selected, many such approaches still have the disadvantage that higher security levels require periodic rotation, or changing, of the encryption keys. Thus, it is typically necessary to manually adjust the keys used for encryption. Such an approach can be particularly complex in a distributed environment with a number of devices, each of which must obtain the key.
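The rotation burden described above is usually reduced by versioning keys and using envelope encryption, so that rotating the master key re-wraps only the small per-item data keys rather than re-encrypting the data itself, and devices that still hold older envelopes can keep reading them. The Go code below is an added example written for this page, not part of the original document; KeyRing, Envelope, Seal, Open and Rewrap are hypothetical names, AES-256-GCM from the Go standard library is the assumed cipher, and the in-memory key ring stands in for the HSM or key-management service where such keys would actually live.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// mustRandom draws n bytes from the OS CSPRNG; failure here is unrecoverable.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-256-GCM for a 32-byte key produced by mustRandom.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key; ring keys are always 32 bytes
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// aeadSeal returns nonce || ciphertext || tag under a fresh random nonce.
func aeadSeal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// aeadOpen reverses aeadSeal; a wrong key or a tampered blob fails authentication.
func aeadOpen(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// KeyRing holds key-encryption keys (KEKs) by version. Only the current version
// wraps new data keys; older versions stay available for reads until every
// envelope has been re-wrapped. (Hypothetical in-memory stand-in for an HSM/KMS.)
type KeyRing struct {
	keks    map[uint32][]byte
	current uint32
}

func NewKeyRing() *KeyRing { return &KeyRing{keks: map[uint32][]byte{}} }

// Rotate installs a fresh KEK and makes it the current version.
func (r *KeyRing) Rotate() uint32 {
	r.current++
	r.keks[r.current] = mustRandom(32)
	return r.current
}

func (r *KeyRing) kek(version uint32) ([]byte, error) {
	k, ok := r.keks[version]
	if !ok {
		return nil, fmt.Errorf("KEK version %d not available", version)
	}
	return k, nil
}

// Envelope is what gets stored per item: the bulk data encrypted under its own
// data-encryption key (DEK), plus that DEK wrapped under a versioned KEK.
type Envelope struct {
	KEKVersion uint32
	WrappedDEK []byte
	Ciphertext []byte
}

// Seal encrypts plaintext under a fresh DEK and wraps the DEK with the current KEK.
func Seal(r *KeyRing, plaintext []byte) (Envelope, error) {
	kek, err := r.kek(r.current)
	if err != nil {
		return Envelope{}, err
	}
	dek := mustRandom(32)
	return Envelope{KEKVersion: r.current, WrappedDEK: aeadSeal(kek, dek), Ciphertext: aeadSeal(dek, plaintext)}, nil
}

// Open unwraps the DEK with whichever KEK version the envelope names, then decrypts.
func Open(r *KeyRing, env Envelope) ([]byte, error) {
	kek, err := r.kek(env.KEKVersion)
	if err != nil {
		return nil, err
	}
	dek, err := aeadOpen(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, env.Ciphertext)
}

// Rewrap moves an envelope to the current KEK without touching the bulk
// ciphertext: rotation costs one small unwrap/wrap per item and can be scripted.
func Rewrap(r *KeyRing, env Envelope) (Envelope, error) {
	if env.KEKVersion == r.current {
		return env, nil
	}
	old, err := r.kek(env.KEKVersion)
	if err != nil {
		return Envelope{}, err
	}
	dek, err := aeadOpen(old, env.WrappedDEK)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKVersion: r.current, WrappedDEK: aeadSeal(r.keks[r.current], dek), Ciphertext: env.Ciphertext}, nil
}

func main() {
	ring := NewKeyRing()
	ring.Rotate()
	env, _ := Seal(ring, []byte("constructed sample record"))
	ring.Rotate() // periodic rotation: new KEK, old one retained for reads
	env2, _ := Rewrap(ring, env)
	pt, err := Open(ring, env2)
	fmt.Printf("KEK v%d -> v%d, bulk ciphertext unchanged: %v, plaintext: %q, err: %v\n",
		env.KEKVersion, env2.KEKVersion, bytes.Equal(env.Ciphertext, env2.Ciphertext), pt, err)
}
```

Because Open accepts any KEK version still present in the ring, a device in a distributed deployment that has not yet re-wrapped its envelopes keeps working after a rotation; retiring an old version then becomes a separate, auditable step taken once no stored envelope references it, rather than a manual per-device change of the key.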